
Well, we have an in-house server manager (like Webmin, only more specific), comprising a bunch of C CGI programs and CGI Perl scripts, some of which require root privileges (adding system users, managing passwords, dealing with mail queues, etc.) to be executed.

Currently Apache works as a reverse proxy and passes requests to another web server (Xitami) that listens on localhost, running as root.

So my question is: instead of running a web server as root (even if it's on 127.0.0.1), is it any different from doing a setuid root on the specific CGI directories/programs/scripts that absolutely require root privileges to execute? Or are both equally insecure? What could be the best possible solution/practice in this scenario?

Mohit Chawla

1 Answer


It is better to setuid root only those CGIs that need such access, instead of running the whole web server as root.

Even better would be to use SELinux or RBAC (or similar mechanism, you didn't specify what platform you're using) so that privileged operations do not actually need root.

Urgoll
  • Ah, yes. This is on Debian. Thanks for pointing towards SELinux, but I am not sure how much it will interfere with our present scheme of things, at what levels it will require integration, and how much overhead will be introduced. – Mohit Chawla Aug 31 '10 at 17:41
  • Another option would be to split the functionality to reduce the exposure of the root account. For example, let's take the password management. That could be split into two parts: the first is the web part that deals with collecting the information from the user and doing data validation. This would then call a helper program that would be setuid root (if indeed required) but would be executable only by the web server. – Urgoll Sep 01 '10 at 00:24
  • The main issue with the web server running as root is that ALL CGIs will be run as root even if not required; all disk accesses are done as root (bypassing the standard file permissions); any bug in the web server or CGI that allows remote code execution would be really bad and result in handing the whole server to attackers. – Urgoll Sep 01 '10 at 00:26
  • Thanks Urgoll, what you say makes sense; I will work on finding the appropriate solution. – Mohit Chawla Sep 01 '10 at 03:32
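The split Urgoll describes in the comments, as an added illustration that is not code from the question or the answer: the CGI stays unprivileged, collects and validates the form input, and then runs a small setuid-root helper that does exactly one privileged thing (here, the "adding system users" case from the question). Everything about the helper's deployment is an assumption for the example: it is installed as `root:www-data` with mode `4750` so that only the web server account can execute it, the account name `www-data` and the `useradd` flags are assumed, and the helper re-validates its single argument rather than trusting the CGI, because the helper's own command line is the real privilege boundary.

```c
/* privileged-helper.c (added example; assumed install: root:www-data, mode 4750)
 *
 * Usage from the unprivileged CGI: execute this binary with one argument, the
 * account name, without going through a shell. Everything the CGI did is
 * re-checked here, because this side of the setuid boundary cannot trust it.
 */
#define _GNU_SOURCE            /* clearenv() is a glibc extension (Debian) */
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define WEB_USER "www-data"    /* assumed unprivileged web server account */
#define MAX_USERNAME 32

/* Strict allow-list for a local account name: lowercase letters, digits,
 * '_' and '-'; must start with a letter or '_'; 1..32 characters.
 * Returns 1 if acceptable, 0 otherwise. Anything with '/', ';', spaces or a
 * leading '-' is rejected outright, so no later tool ever sees it. */
int valid_username(const char *name)
{
    if (name == NULL) return 0;
    size_t len = strlen(name);
    if (len == 0 || len > MAX_USERNAME) return 0;
    if (!(islower((unsigned char)name[0]) || name[0] == '_')) return 0;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Belt and braces on top of the 4750 file mode: the real uid is the caller's
 * identity and is not changed by setuid, so compare it with WEB_USER's uid.
 * Returns 1 when the caller is WEB_USER, 0 otherwise or if lookup fails. */
int caller_is_web_user(uid_t real_uid)
{
    struct passwd *pw = getpwnam(WEB_USER);
    if (pw == NULL) return 0;
    return real_uid == pw->pw_uid;
}

/* Fixed argv for useradd: no shell, fixed options, and the only
 * caller-controlled string has already passed valid_username(). "--" ends
 * option parsing so the name can never be read as an option. Returns the
 * number of arguments (6) or -1 if the name is invalid or the array is small. */
int build_useradd_argv(const char *name, const char *argv_out[], size_t n)
{
    if (n < 7 || !valid_username(name)) return -1;
    argv_out[0] = "/usr/sbin/useradd";
    argv_out[1] = "--create-home";
    argv_out[2] = "--shell";
    argv_out[3] = "/usr/sbin/nologin";
    argv_out[4] = "--";
    argv_out[5] = name;
    argv_out[6] = NULL;
    return 6;
}

static const char *g_argv[8];   /* argv buffer for the exec below */

int main(int argc, char **argv)
{
    if (argc != 2 || !valid_username(argv[1])) {
        fprintf(stderr, "usage: privileged-helper <username>\n");
        return 2;
    }
    if (!caller_is_web_user(getuid())) {
        fprintf(stderr, "refusing: caller is not %s\n", WEB_USER);
        return 3;
    }
    /* Drop the environment inherited from the CGI and set a fixed PATH, so
     * neither useradd nor any library it loads honours attacker-chosen
     * variables. */
    if (clearenv() != 0 || setenv("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1) != 0) {
        perror("environment");
        return 4;
    }
    if (build_useradd_argv(argv[1], g_argv, 8) < 0) return 2;
    /* Only now is the effective root privilege used, for this one action. */
    execv(g_argv[0], (char *const *)g_argv);
    perror("execv");
    return 5;
}
```

The point of the shape is that root is exposed to one argument of one program rather than to every CGI and every file access, which is exactly the difference the answer draws between a setuid helper and a root web server. From a Perl CGI the helper would be invoked with the list form of `system` (no shell), and the CGI's own validation is for usability; the helper's is the security check. A setuid binary still needs the usual care (the file mode, the cleared environment, no `system()`), so keeping it this small is what makes that care feasible.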